What information do you want? More precisely, for what purpose do you intend to use it? nmap gives you information based on its database of server response fingerprints. That doesn't let the server disguise itself except in specific reaction to nmap. Is that what you want? Or is the server's own declaration of who it is enough information?
– Gilles, Jun 8 '11 at 20:38

3

Oh, and please learn to use tags already. We have over a thousand to choose from! Your question isn't remotely related to Linux.
– Gilles, Jun 8 '11 at 20:40

As I described it: "get info about the webserver" - "Google httpd 2.0 (GFE) is enough". How can I say it more precisely, that e.g.: "Apache 2" etc.? What's not clear in this? Just say it, and I will update!
– LanceBaynes, Jun 9 '11 at 9:42

Otherwise, if you want to use Nmap, there are some ways you could speed things up.

Use -n to avoid doing name resolution

Use --version-light or --version-intensity 0 to reduce the number of probes sent. This won't have an effect for most HTTP servers, since the default probe is usually the one that matches.

Use -Pn to skip host discovery. You already have this as -P0, which works, but is older syntax.

All together, these will save a few milliseconds. Unfortunately, the 6 seconds that you are seeing is Nmap waiting for the server to send data first. Nmap tries service detection probes in a particular order: first the NULL probe (wait for server to send first), then any probes that are "for" the port being scanned, then any other probes with a rarity less than the version intensity (default 7). The probes and their ports and rarities are defined in the nmap-service-probes file, which you could edit. This is a global setting, though, so you will be making Nmap less useful for general version detection if you edit it. Find the Probe TCP NULL line, and change the totalwaitms value below it to something small, like 100. It should look something like this:

# This is the NULL probe that just compares any banners given to us
##############################NEXT PROBE##############################
Probe TCP NULL q||
# Wait for at least 6 seconds for data. It used to be 5, but some
# smtp services have lately been instituting an artificial pause (see
# FEATURE('greet_pause') in Sendmail, for example)
totalwaitms 100

To avoid messing up Nmap for all other scans, make a copy of the nmap-service-probes file and refer to its location with the --datadir option. Here is the result I got:
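Added example, not part of the original answer and not the result it refers to: a POSIX shell script for the copy-and-edit step described above, which rewrites `totalwaitms` only inside the `Probe TCP NULL` section of a private copy. The function names and the sample probe fragment are constructed for illustration; the location of your installed nmap-service-probes file is an assumption you supply as the first argument.

```shell
#!/bin/sh
# make_fast_probes SRC DESTDIR [WAITMS]
# Write an edited copy of SRC to DESTDIR/nmap-service-probes. Only the
# totalwaitms line belonging to "Probe TCP NULL" is changed; the installed
# file and every other probe section are left as they were.
make_fast_probes() {
    src=$1; destdir=$2; waitms=${3:-100}
    case $waitms in ''|*[!0-9]*) echo "waitms must be an integer" >&2; return 2;; esac
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    mkdir -p "$destdir" || return 1
    awk -v ms="$waitms" '
        /^Probe /                  { in_null = ($2 == "TCP" && $3 == "NULL") }
        in_null && /^totalwaitms / { print "totalwaitms " ms; next }
                                   { print }
    ' "$src" > "$destdir/nmap-service-probes"
}

# probe_wait FILE PROBENAME: print the totalwaitms value of one probe section.
probe_wait() {
    awk -v name="$2" '
        /^Probe /              { hit = ($3 == name) }
        hit && /^totalwaitms / { print $2; exit }
    ' "$1"
}

# Constructed fragment in the nmap-service-probes format (not the real file).
sample_probes() {
    cat <<'EOF'
# constructed sample
Probe TCP NULL q||
# Wait for at least 6 seconds for data.
totalwaitms 6000
match ftp m|^220 ProFTPD| p/ProFTPD/
Probe TCP GenericLines q|\r\n\r\n|
rarity 1
totalwaitms 5000
EOF
}

# Stand-alone use: sh script.sh /path/to/nmap-service-probes ./fastdata [ms]
if [ "$#" -ge 2 ]; then
    make_fast_probes "$@" &&
        echo "now run: nmap -n -Pn -sV --datadir $2 -p 80 <target>"
fi
```

Nmap looks in the `--datadir` directory first and falls back to its normal locations for any data file not found there, so the directory only needs to hold the edited nmap-service-probes.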